[NEWS] Linksys EtherFast Security Vulnerability (Username and Password Disclosure)
From: support@securiteam.com
Date: 08/03/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Linksys EtherFast Security Vulnerability (Username and Password Disclosure)
Message-Id: <20010803123729.98B4B13902@mail.der-keiler.de>
Date: Fri, 3 Aug 2001 14:37:29 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Linksys EtherFast Security Vulnerability (Username and Password
Disclosure)
------------------------------------------------------------------------
SUMMARY
The Linksys "EtherFast 4-Port Cable/DSL Router" has a security flaw in its
design. Passwords for the router and the user's ISP account can be viewed
in the HTML source code stored on the router.
DETAILS
The login passwords for both the router and the user's ISP are passed to
the router's configuration pages. While they cannot be viewed directly in
the browser window, the passwords are in "clear text" if viewed via the
HTML source code. This may lead to a compromise of the router and the
user's ISP account. The pages in question are index.htm, which contains
the user's ISP logon and password, and Passwd.htm, which contains the
password for the router.
If combined with a "sniffer" attack, the source code (with passwords) can
be viewed during transmission to the administrator's browser.
(Note: The transmissions can only be "sniffed" within the LAN behind the
router.)
Exploit:
There is no exploit code needed to exploit this vulnerability. The
passwords are stored and transmitted in "clear text" within the HTML
source.
Sections of offending code (code formatted for easier viewing):
On index.htm:
--- code cut ---
<b>User Name: </b></font><input name=pppoeUName size=20
maxlength=63 value=USERS_ISP_LOGIN_HERE>
</td></tr><tr><th bgcolor=6666cc> </th>
<td> <font face=verdana size=2><b>Password:
</b></font><input type=password name=pppoePWD size=20 maxlength=63
value=USERS_ISP_PASSWORD_HERE></td>
--- end code cut ---
On Passwd.htm:
--- code cut ---
<br>Router Password: </th><td> <br>
<input type=password name=sysPasswd size=25 maxlength=63
value=ROUTER_PASSWORD_HERE>
<font color=blue face=Arial size=2>
(Enter New Password)</td></tr> <tr><th bgcolor=6666cc align=right><font
color=white face=Arial size=2> </th> <td>
<input type=password name=sysPasswdConfirm size=25 maxlength=63
value=CONFIRM_OF_ROUTER_PASSWORD_HERE>
--- end code cut ---
Possible solution:
A suggested solution for this problem is not to transmit the passwords to
the offending pages. Instead, keep them stored in the router, and only
allow for the update of passwords on the pages (if desired by the user).
This particular solution is not possible without a vendor patch. There has
been no response from Linksys.
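An added example, not part of the original advisory and not Linksys code: a
Python sketch of the suggested fix next to the flawed behaviour, with a check
that reports password inputs whose value is sent to the browser. The renderer,
the update handler and the sample secret are hypothetical; the field names are
those shown in the Passwd.htm excerpt above.

```python
from html import escape
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collects names of <input type=password> fields that carry a value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # unquoted attributes parse too
        if a.get("type", "").lower() == "password" and a.get("value", "").strip():
            self.findings.append(a.get("name", "<unnamed>"))


def prefilled_password_fields(page):
    """Return the names of password inputs whose value reaches the browser."""
    finder = PrefilledPasswordFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


def render_password_form(stored, hardened):
    """Hypothetical stand-in for whatever generates Passwd.htm on the device."""
    # Hardened form: the stored secret is never written into the page.
    value = "" if hardened else escape(stored, quote=True)
    return (f'<input type=password name=sysPasswd size=25 maxlength=63 value="{value}">'
            f'<input type=password name=sysPasswdConfirm size=25 maxlength=63 value="{value}">')


def apply_password_update(stored, submitted, confirm):
    """Blank fields mean 'keep the current password'; otherwise both must match."""
    if not submitted and not confirm:
        return stored
    if submitted != confirm:
        raise ValueError("password and confirmation differ")
    return submitted


if __name__ == "__main__":
    secret = "constructed-example-secret"  # constructed sample value
    for hardened in (False, True):
        page = render_password_form(secret, hardened)
        print("hardened" if hardened else "flawed", prefilled_password_fields(page))
```

The same check can be run over a saved copy of any configuration page to
confirm that no password field arrives pre-filled.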
ADDITIONAL INFORMATION
The information has been provided by <mailto:hypoclear@jungle.net>
hypoclear.